Privacy and fairness in a variant of Prêt-à-voter
Ben Smyth and Mark Ryan, School of Computer Science, The University of Birmingham
Electronic voting currently
● Electronic voting is eagerly being taken up by governments and other organisations the world over.
– The situation in the USA
● Proprietary systems, with weak security properties. “15 year old in garage could manufacture cards and sell them on the internet that would allow multiple votes” [Avi Rubin]
● “I voted party p1 and the system said ‘Thank you, we have recorded your vote for party p2.’” (Radio phone-ins, websites)
● Allegations of involvement of an equipment supplier with a political party
– The situation in Estonia
● Internet voting offered to the entire electorate
● Authentication by smart cards
● Re-voting allowed, to combat coercion
Desirable properties of voting systems
● Desired properties of electronic voting systems
– Eligibility: only eligible voters can vote, and only once.
– Fairness: no early results can be obtained which could influence the remaining voters.
– Privacy: no-one can link a voter and her vote.
– Receipt-freeness: no receipt or other artifact is issued which would enable the voter to prove how she voted.
– Coercion-resistance: a voter cannot convince a coercer that she voted how he instructed.
Desirable properties of voting systems
● Some other properties
– Individual verifiability: a voter can verify that her vote was counted.
– Universal verifiability: a voter can verify that the published result is the tally of the votes cast.
– Robustness: voters cannot disrupt the election. Faulty behaviour is tolerated.
– Vote-and-go: voters participate in one session.
Prêt-à-voter
● A voting scheme designed by Chaum / P. Ryan / Schneider
– Ballot papers have candidates listed in a random rotation of the official list
– An onion encodes the offset needed to cycle back to the correct order
– At vote time, the left-hand strip is detached and destroyed
– The right-hand strip is given to the first of a series of Tellers
● each one decrypts a layer of the onion and computes a component of the offset
● then hands it on to the next one
[Figure: a sample ballot with columns “Candidate” and “Put X”; the left-hand strip lists the candidates in rotated order (David, Tony, Menzies, Caroline, Arthur); the right-hand strip carries the onion, printed as 7rJ#94iU]
Prêt-à-voter
[Figure: the Administrator issues the ballot to Alice; Alice's receipt carries the onion together with offset + v; it passes along the teller chain $T_{2k-2}, T_{2k-4}, \ldots, T_2, T_0$, each stage performing decrypt / subtract / mix on (onion, offset + v), until the final stage outputs v]
$$\mathrm{onion} = \Big\{ g_{2k-1},\ \Big\{ g_{2k-2},\ \ldots,\ \Big\{ g_1,\ \{ g_0, D \}_{T_0} \Big\}_{T_1} \ldots \Big\}_{T_{2k-3}} \Big\}_{T_{2k-2}} \Big\}_{T_{2k-1}}$$
$$\mathrm{offset} = h(g_{2k-1}) + \ldots + h(g_0) \bmod V$$
Corrupt election officials
● Voting systems should be designed to work securely even if the election officials are corrupt
– Fairness: results cannot be released before the election closes.
– Privacy: no-one can link a voter and her vote.
– Coercion-resistance: a voter cannot convince a coercer that she voted how he instructed.
● PaV fails to satisfy these properties
– The authority that issues the ballot papers can reveal the vote without the need of the tellers (breaking fairness)
– And it can link the ballot paper with the published results (breaking privacy and coercion-resistance)
Fixing PaV
● In PaV, the onion is constructed by the authority:
$$\mathrm{onion} = \Big\{ g_{2k-1},\ \Big\{ g_{2k-2},\ \ldots,\ \Big\{ g_1,\ \{ g_0, D \}_{T_0} \Big\}_{T_1} \ldots \Big\}_{T_{2k-3}} \Big\}_{T_{2k-2}} \Big\}_{T_{2k-1}}$$
● The authority can link onion and offset, and therefore compute the vote from the info posted on the bulletin board. Hence privacy (and therefore coercion-resistance) and fairness fail.
● Even if the voter constructs the onion, coercion-resistance fails. She can prove an onion (and hence a vote) is hers by demonstrating knowledge of the germs $g_i$. From these, the onion and the corresponding offset can be constructed.
Better fix for PaV
● The voter constructs an onion with help from the tellers. Teller $T_i$ contributes one row: a germ $g_{i,j}$ for every layer $j$, encrypted under $T_j$'s key, plus the voter's share $o_i$ of the offset:
$T_0$: $\{g_{0,0}\}_{T_0}$, $\{g_{0,1}\}_{T_1}$, $\{g_{0,2}\}_{T_2}$, $\ldots$, $o_0$
$T_1$: $\{g_{1,0}\}_{T_0}$, $\{g_{1,1}\}_{T_1}$, $\{g_{1,2}\}_{T_2}$, $\ldots$, $o_1$
$T_2$: $\{g_{2,0}\}_{T_0}$, $\{g_{2,1}\}_{T_1}$, $\{g_{2,2}\}_{T_2}$, $\ldots$, $o_2$
$T_3$: $\{g_{3,0}\}_{T_0}$, $\{g_{3,1}\}_{T_1}$, $\{g_{3,2}\}_{T_2}$, $\ldots$, $o_3$
$\vdots$
The columns combine into $c_0, c_1, c_2, \ldots$, and the onion is built from the column values:
$$\mathrm{onion} = \Big\{ c_{2k-1},\ \Big\{ c_{2k-2},\ \ldots,\ \Big\{ c_1,\ \{ c_0, D \}_{T_0} \Big\}_{T_1} \ldots \Big\}_{T_{2k-3}} \Big\}_{T_{2k-2}} \Big\}_{T_{2k-1}}$$
Better fix for PaV
$$\mathrm{onion} = \Big\{ \prod_{i=0}^{2k-1} \{g_{i,2k-1}\}_{T_{2k-1}},\ \Big\{ \prod_{i=0}^{2k-1} \{g_{i,2k-2}\}_{T_{2k-2}},\ \ldots,\ \Big\{ \prod_{i=0}^{2k-1} \{g_{i,1}\}_{T_1},\ \Big\{ \prod_{i=0}^{2k-1} \{g_{i,0}\}_{T_0},\ D \Big\}_{T_0} \Big\}_{T_1} \ldots \Big\}_{T_{2k-3}} \Big\}_{T_{2k-2}} \Big\}_{T_{2k-1}}$$
● No-one knows all the $g_{ij}$'s, and no-one (except the voter) knows the offset. The voter can show the coercer how to reconstruct the onion, but she can't convince him about the offset.
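A small simulation of the two constructions above (the authority-built onion of the “Fixing PaV” slide and the teller-built onion of the “Better fix” slides), written as an added example that is not code from the talk or from any Prêt-à-voter implementation. It assumes five candidates and four onion layers, models each teller's decryption of a layer as simply knowing that layer's value, and replaces the homomorphic product of encrypted germs with plain additive sharing mod V; the point it shows is who can compute the offset in each construction.

```python
import hashlib
import secrets

V = 5        # number of candidates (constructed: the five names on the ballot slide)
LAYERS = 4   # 2k onion layers / teller keys, with k = 2 (constructed)

def h(germ: bytes) -> int:
    """Offset component from one germ, reduced mod V, as in offset = sum h(g_i) mod V."""
    return int.from_bytes(hashlib.sha256(germ).digest(), "big") % V

def cast(vote: int, offset: int) -> int:
    """Voter marks the row showing her candidate on the rotated list; the receipt carries (v + offset) mod V."""
    return (vote + offset) % V

def tellers_decode(receipt: int, layer_values: list[int]) -> int:
    """Teller chain: each teller peels its layer (here: already knows its value) and subtracts it."""
    r = receipt
    for comp in layer_values:
        r = (r - comp) % V
    return r

def authority_ballot():
    """Original PaV: the authority picks g_0..g_{2k-1}, so offset = sum h(g_i) mod V is known to it."""
    germs = [secrets.token_bytes(16) for _ in range(LAYERS)]
    return germs, sum(h(g) for g in germs) % V

def authority_attack(receipt: int, germs: list[bytes]) -> int:
    """Corrupt authority: knowing every germ it reads the vote off the posted receipt
    without the tellers (breaking fairness) and linked to the ballot (breaking privacy)."""
    return tellers_decode(receipt, [h(g) for g in germs])

def distributed_ballot():
    """Fixed PaV: teller i generates germs g_{i,j} for every layer j and sends the voter only
    o_i = sum_j g_{i,j}.  At tally time layer j opens to s_j = sum_i g_{i,j}.  Assumption:
    additive sharing mod V stands in for the homomorphic product of encrypted germs on the slide."""
    g = [[secrets.randbelow(V) for _ in range(LAYERS)] for _ in range(LAYERS)]
    row_shares = [sum(row) % V for row in g]                                          # o_i
    layer_values = [sum(g[i][j] for i in range(LAYERS)) % V for j in range(LAYERS)]   # s_j
    return row_shares, layer_values

def voter_offset(row_shares: list[int]) -> int:
    """Only the voter receives every o_i, so only she can compute the offset."""
    return sum(row_shares) % V

if __name__ == "__main__":
    germs, off = authority_ballot()
    print(authority_attack(cast(2, off), germs))                   # authority alone recovers 2
    shares, layers = distributed_ballot()
    print(tellers_decode(cast(2, voter_offset(shares)), layers))   # only the full chain recovers 2
```

In the distributed construction each teller holds one row share o_i and, at tally time, one layer value s_j; the offset is the sum over all rows (equivalently all layers), which no single teller has.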
Properties of fixed PaV
● Privacy
● Fairness
● Coercion-resistance holds, except that the voter can prove to the last teller how she voted. (Can probably be fixed too!)
P. Ryan / Peacock variant
● Also a solution which relies on distributing the construction of the ballot
– so that the relation between the ballot and the offset is not learned by any entity.
[Figure: three ballot forms, each with “Candidate” and “Put X” columns, candidates David, Tony, Menzies, Caroline, Arthur, and onion values hY7^8FG and 7rJ94iU]
Do we need privacy and coercion-resistance?
● In the UK?
● In the USA?
● What about Zimbabwe?